Closed Bug 801638 Opened 9 years ago Closed 7 years ago
.mozilla .org Form Start
Hello, My name is Siddhesh Gawde, I am a security researcher ,I have found one vulnerability on an sub-domain of mozilla Details: Type of issue: XSS Browser: Mozilla Firefox v14.0.1 Operating System: Windows 7 Date of finding: 12/10/2012 Website Link: https://wiki.mozilla.org Links: The xss vuln is of post type here ,we need to post data here: https://wiki.mozilla.org/Special:FormStart Post data is : page_name=xsss&namespace=&super_page=¶ms=1087794</script><script>alert(0)</script><"&form=11 This will get the alert box to pop up instantly ! I have attached image of the vulnerability (As proof) of the link which I have mentioned above. If you need any other information about it then please let me know. Eagerly waiting for your reply. Thank you, Siddhesh Gawde.
Might this be a duplicate of the root issue that is behind bug 761114?
9 years ago
I can't seem to reproduce this, but I might not be doing it right. Is this still reproducible?
I can't seem to repro either, this may have been addressed by the most recent wiki updates.
Not able to reproduce this one , the layout is changed completely.
Sorry i made a mistake while checking it acually. I am still able to reproduce it. poc: http://gyazo.com/adc71a0b73d750d96bf7e4ca4573b2ad Request : LINK: https://wiki.mozilla.org/Special:FormStart HEADERS: Host: wiki.mozilla.org User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://wiki.mozilla.org/Special:FormStart Cookie: __utma=132703880.484202267.1413400289.1413400289.1413468159.2; __utmz=132703880.1413468159.2.2.utmcsr=bugzilla.mozilla.org|utmccn=(referral)|utmcmd=referral|utmcct=/show_bug.cgi; optimizelySegments=%7B%222000810488%22%3A%22false%22%2C%222017550344%22%3A%22ff%22%2C%221994990450%22%3A%22none%22%2C%222011280991%22%3A%22direct%22%7D; optimizelyEndUserId=oeu1413467954737r0.04618477120119591; optimizelyBuckets=%7B%7D; __utmb=132703818.104.22.1683468159; __utmc=132703880; __utmt=1 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 50 POST DATA: page_name=x&form=11&namespace=&super_page=¶ms='"></script><script>alert(0)</script><" I am using mozilla v29
Ah, I can indeed reproduce that way. Thanks, Siddhesh.
This appears to still be present in the latest version of the extension: https://git.wikimedia.org/blob/mediawiki%2Fextensions%2FSemanticForms/b4935cd735bdb8e67c6eb18661eedf511d3c8315/specials%2FSF_FormStart.php#L194
I just confirmed this, this is the first time I had seen it. https://bugzilla.wikimedia.org/show_bug.cgi?id=72436 (I can add anyone from Mozilla who wants access, just need to know your user on our instance). We'll get a patch out asap to fix the problem, and coordinate getting an official patch from the maintainers of that extension into the main repo, probably by next week.
(In reply to csteipp from comment #10) > I just confirmed this, this is the first time I had seen it. > > https://bugzilla.wikimedia.org/show_bug.cgi?id=72436 (I can add anyone from > Mozilla who wants access, just need to know your user on our instance). I'm the same on there as here; please add me. > We'll get a patch out asap to fix the problem, and coordinate getting an > official patch from the maintainers of that extension into the main repo, > probably by next week. We push to our environments every Thursday, FWIW.
Gordon, I just added you to our bug. The extension maintainer made a public patch for it (https://gerrit.wikimedia.org/r/#/c/168618/). I don't have an SMW dev instance, but that should solve the issue.
Whiteboard: [site:wiki.mozilla.org] → [site:wiki.mozilla.org] [dev=2014-10-30]
With the upgrade of the semantic extensions (bug 1081712), this should be fixed.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
This is still broken: https://wiki.mozilla.org/Special:FormStart?page_name=x&form=11&namespace=&super_page=¶ms='"></script><script>alert('this is still broken')</script><"
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
OK, SemanticForms has been upgraded to 3.1, and it looks like this is now fixed for real.
Status: REOPENED → RESOLVED
Closed: 7 years ago → 7 years ago
Resolution: --- → FIXED
Whiteboard: [site:wiki.mozilla.org] [dev=2014-10-30] → [site:wiki.mozilla.org] [dev=2015-02-05] [stage=2015-02-05] [prod=2015-02-05]
You need to log in before you can comment on or make changes to this bug.